The aggregation of personal health information may come about in a variety of
ways, some doubtless well-meaning and others driven by nonclinical pressures.
Examples in current and proposed NHS systems include:

the proposed NHS Clearing Service for in-patient contract data will
contain information on hospital treatment of patients throughout the country.
Requests by the BMA to review the functional specification of this system have
been dismissed with the assertion that this information is not in the public
domain;

the Administrative Registers contain sensitive information such as past
registration for contraceptive services and relationships with mental health
institutions;

at least two systems have been developed that enable health authorities
to link up item-of-service claims, prescriptions and contract data to create a
`shadow' patient record outside clinical control [AIS95] [DL95];

The above systems have been commissioned despite an agreement between the NHS
Executive and the clinical unions that electronic patient records shall be at
least as secure as paper records, and despite the established guidelines of the
GMSC/RCGP Joint Computer Group, which state that no patient should be
identifiable, other than to the general practitioner, from any data sent to an
external organisation without the informed consent of the patient [JCG88].

A strategic goal of the NHSE's Information Management Group is an entirely
shared electronic patient record; we understand that the collection of GP data
is to be the driving force, and that GP systems will be interrogated by NHS
systems. However, these goals are in clear conflict with the ethical position of
the BMA [Som93] as well as with the Joint Computer Group guidelines mentioned above.

Patient consent for the sharing of personal health information with NHS
administrators has not been obtained; indeed, a survey shows that most patients
are unwilling to share personal health information with them [Haw95]. That this
information should be collected into large aggregates that are outside the
control even of healthcare professionals is extremely dangerous: as the US
experience has shown, the mere existence of such a potentially valuable
resource creates strong political pressure for legitimised access by law
enforcement agencies, insurance companies and others.

The response of the BMA includes this document. Its primary purpose is to help
clinical professionals discharge their ethical and legal responsibilities by
selecting suitable systems and operating them safely. It seeks to define what
kind of systems may prudently be trusted to receive personal health
information, and to that end we shall build on the threat model set out in this
section to derive a security policy for clinical information systems. This
consists of a compact set of principles which, if implemented properly, will
enforce patient consent effectively in communicating computer systems.